Browse Definitions:
Definition

gummy bear hack

A gummy bear hack is an attempt to fool a biometric fingerprint scanner by using a gelatin-based candy to hold a fingerprint.

Low-end optical fingerprint scanners can often be fooled with a simple image of a fingerprint, while more sophisticated devices check for characteristics such as electrical current and blood flow. As it turns out, however, the capacitance of gelatin is similar to that of a human finger. Furthermore, if a gelatin-based fingerprint is attached to a living finger, the method could fool those fingerscanners as well because the device would detect those characteristics through the clear gelatin.

The idea behind the gummy bear hack originated with 2002 research led by Japanese cryptographer Tsutomu Matsumoto. Matsumoto and his team used clear gelatin to make artificial fingers that they then used to fool fingerprint scanners. The gelatin-based finger was successful in fooling all 11 devices tested. Reporting on the experiment in the Crypto-Gram, security expert Bruce Schneier commented that gelatin is “the same substance gummi bears are made of.”

When some Australian schools began using fingerprint scanners as a “sign-in” method in 2010, there were media reports suggesting that students could fool the system using gummy bears. The suggested method was simple: impress your fingerprint into a gummy bear and then get an accomplice to put the gummy bear over his own finger to register your attendance. Although there have been many reports that gummy bears could be used in this manner, there are no reports of anyone actually doing so.

A group of students from Washington & Jefferson College’s Information Technology Leadership program attempted to test the theory. The students made fingerprint casts from a variety of substances, including not only gummy bears but also modeling clay, Play-Doh and Silly Putty and tested the casts against Microsoft's Fingerprint Reader and an APC Biometric Security device. Some of the substances held fingerprints better than the others but the gummy bears were not successful. From the class’s report:

None of us was able to get a gummy bear to hold a fingerprint, either on the flat back surface, or by tearing the gummy bear open and trying to create an impression on the softer interior. It was theorized that perhaps a superior quality of gummy bear, instead of the generic brand purchased, or a gummy candy with a large surface area would work better. But for the remainder of the experiment the gummy bears became simply a form of sustenance.

 

Learn more:

The original research report is “Impact of Artificial ‘Gummy’ Fingers on Fingerprint Systems.”

Here’s the report from the students at Washington and Jefferson College.

ZDNet Australia reported on a "Sweet bypass for student fingerprint scanner."

See how gelatin can be used to successfully defeat a fingerprint scanner in this Mythbusters video.

This was last updated in December 2010

Join the conversation

2 comments

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

Big Bold Bears will work. They are the size of a finger and will hold the print. Slice them lengthways to make thinner gelatin so the scanners can detect current and blood flow through the gummy bear.
Cancel
Still, there's something ironically amusing about the idea of a high-tech security system possibly being undermined by a common candy item. I suppose Swedish fish would be too hard. <*))swedish))-{
Cancel

-ADS BY GOOGLE

File Extensions and File Formats

Powered by:

SearchCompliance

  • internal audit (IA)

    An internal audit (IA) is an organizational initiative to monitor and analyze its own business operations in order to determine ...

  • pure risk (absolute risk)

    Pure risk, also called absolute risk, is a category of threat that is beyond human control and has only one possible outcome if ...

  • risk assessment

    Risk assessment is the identification of hazards that could negatively impact an organization's ability to conduct business.

SearchSecurity

  • intrusion detection system (IDS)

    An intrusion detection system (IDS) is a system that monitors network traffic for suspicious activity and issues alerts when such...

  • security information and event management (SIEM)

    Security information and event management (SIEM) is an approach to security management that seeks to provide a holistic view of ...

  • polymorphic virus

    A polymorphic virus is a harmful, destructive or intrusive type of malware that can change or 'morph,' making it difficult to ...

SearchHealthIT

  • accountable care organization (ACO)

    An accountable care organization (ACO) is an association of hospitals, healthcare providers and insurers in which all parties ...

  • patient engagement

    Patient engagement is an ideal healthcare situation in which people are well-informed about -- and motivated to be involved -- in...

  • personal health record (PHR)

    A personal health record (PHR) is a collection of health-related information that is documented and maintained by the individual ...

SearchDisasterRecovery

  • business continuity and disaster recovery (BCDR)

    Business continuity and disaster recovery (BCDR) are closely related practices that describe an organization's preparation for ...

  • business continuity plan (BCP)

    A business continuity plan (BCP) is a document that consists of the critical information an organization needs to continue ...

  • call tree

    A call tree -- sometimes referred to as a phone tree -- is a telecommunications chain for notifying specific individuals of an ...

SearchStorage

SearchSolidStateStorage

  • hybrid hard disk drive (HDD)

    A hybrid hard disk drive is an electromechanical spinning hard disk that contains some amount of NAND Flash memory.

Close